Communication in today's world is heavily based on communications networks. The development in the area of communications networks has been tremendous, especially during the past decades. However, the more important the communications networks have become, the more attractive targets they are for criminals. An increasingly common abuse in communications networks is the so called denial of service attack (DoS). A denial of service attack is an attempt to prevent or to impair the legitimate use of a service in the communications network. Typically, the services are implemented in such a manner that a so called host computer is coupled to the communications network. The host computer is configured to maintain and host, i.e. provide, the service to the public or to a limited number of people. Now, the criminals may, by arranging an attack against the host computer, prevent or at least impair the availability of a legitimate service. The host computer in this context shall be understood to cover a personal computer, a router, a server, a network or the like.
A typical way to arrange the attack against the host computer is to launch the attack from a device or system coupled to the Internet towards the host computer. The denial of service attack comprises several sub-types, but one common method of attack involves saturating the host computer with external communication requests. As a result, the host computer cannot respond to legitimate traffic, or responds so slowly that the service can, in practice, be considered as being unavailable.
Naturally, several ways to defend against DoS attacks have been developed. The defense can e.g. be based on so called firewall solutions, switch or router solutions, application front end hardware solutions or IPS (Intrusion Prevention System) based prevention, among others. The firewall solutions are typically based on the idea of allowing or denying traffic under predetermined conditions, such as on the basis of protocols, ports or IP addresses. The switch and router solutions are normally based on rate limiting, wherein the traffic activity is monitored and, based on that, e.g. filtering of the data traffic can be applied. Further, the application front end hardware solutions are based on the idea that some intelligent hardware is placed in the network before traffic reaches the host computers. The application front end hardware is configured to analyze data packets as they enter the system and to filter them accordingly. IPS based prevention, in turn, is based on the idea of utilizing signatures for recognizing the content.
The most common set of communication protocols used in the Internet and similar networks is the so called Internet protocol suite. It is commonly referred to as TCP/IP (Transmission Control Protocol/Internet Protocol) because of its most important protocols, TCP and IP. The Internet protocol suite provides end-to-end connectivity and describes how data shall be formatted, addressed, transmitted, routed and received at the destination. The Internet protocol suite uses so called encapsulation to provide abstraction of protocols and services. The encapsulation is achieved by arranging different layers for different purposes in the Internet protocol suite. The layers are the application layer, the transport layer, the network layer and the link layer. The scope of the application layer is to enable communication of user data created by applications to other processes or applications. The application layer is therefore also referred to as process-to-process communication. The transport layer is dedicated to host-to-host communication, which refers to end-to-end message transfer independently of the underlying network, along with error control, segmentation, flow control, congestion control and application addressing. The end-to-end message transmission, or connecting of applications, at the transport layer can be categorized as either connection-oriented, implemented in TCP, or connectionless, implemented in UDP (User Datagram Protocol). The network layer, in turn, has the responsibility of sending data packets across potentially multiple networks. Such internetworking requires sending data from the source network to the destination network, which is also known as routing. In the Internet protocol suite the Internet protocol performs two basic functions for routing, i.e. host addressing and identification, and packet routing. The link layer is the networking scope of the local network connection to which a host is attached. The link layer is used to move data packets between the Internet layer interfaces of two different hosts on the same link.
As already mentioned, the Internet protocol suite is based on the concept of encapsulation. This means that each layer in the protocol stack adds header information to the data. Thus, the user data is encapsulated as application data 107, to which a TCP header 105 is added, next the IP header 103 is added and finally the Ethernet header 101. The structure is illustrated in FIG. 1. The structure does not illustrate any trailer information, such as the Ethernet trailer at the end of the message structure. FIG. 1 illustrates the packet structure in the case of TCP/IP, but a similar structure can also be drawn for UDP.
FIG. 2 illustrates a prior art solution against a DoS attack by means of a firewall. FIG. 2 illustrates the following elements: host computer 201, front-end computer 203 performing firewall operations, Internet 205 and source computer (attacker) 207. For clarity only one source computer is illustrated, but the number of source computers may vary, and typically the DoS attacks originate from multiple source computers 207 in order to achieve the destructive effect. The source computer 207 sends DoS data in a protocol structure complying with the TCP/IP encapsulation. The DoS data is encapsulated in the application data field 107. Now, as the state of the art DoS firewall solutions are configured to examine, for example, the protocol structure or the IP address, the firewall does not detect that the application data contains DoS data, since the data packet seems to comply with all requirements of TCP/IP communication. Thus, the denial of service attack cannot be prevented with the prior art solutions.
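As an added illustration, not part of the patent text, the following Python builds a frame with the FIG. 1 layering (application data 107 inside TCP 105, IP 103 and Ethernet 101 headers), unpacks it again, and applies a header-only check of the kind the text attributes to prior-art firewalls. The addresses, ports and function names are constructed for this example; checksums are left at zero since nothing is transmitted.

```python
import socket
import struct

# Constructed sample link-layer addresses (not taken from the page).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
ETHERTYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6


def encapsulate(app_data, src_ip="192.0.2.10", dst_ip="198.51.100.5",
                src_port=40000, dst_port=80, seq=1, ack=1):
    """Wrap application data (107) in a TCP header (105), an IP header (103)
    and an Ethernet header (101), innermost first, as in FIG. 1.
    Checksums stay zero because nothing here is put on the wire."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                      5 << 4, 0x18, 65535, 0, 0)          # 20 bytes, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(app_data),
                     0, 0, 64, IP_PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + app_data


def decapsulate(frame):
    """Peel the layers off again and return the fields of each layer."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:34]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = frame[14 + ihl:14 + ihl + 20]
    src_port, dst_port, seq, ack, off = struct.unpack("!HHIIB", tcp[:13])
    payload = frame[14 + ihl + (off >> 4) * 4:14 + total_len]
    return {"ethertype": ethertype, "ip_version": ip[0] >> 4, "proto": ip[9],
            "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
            "app_data": payload}


def headers_look_valid(frame, service_port=80):
    """A header-only check of the kind the text attributes to prior-art
    firewalls: protocol structure, addresses and ports are inspected, the
    application data field (107) is never looked at, so the check passes
    whatever that field carries."""
    layers = decapsulate(frame)
    return (layers["ethertype"] == ETHERTYPE_IPV4 and layers["ip_version"] == 4
            and layers["proto"] == IP_PROTO_TCP
            and layers["dst_port"] == service_port)
```

Running `headers_look_valid` over frames with different application data always gives the same answer, which is exactly the gap the text describes.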
A further aspect of the TCP protocol is its manner of operation. The first communication from a source starts with a so called TCP SYN packet, which comprises the address of the sender and the destination address of the recipient. The first communication reaches the front-end computer, which maintains the firewall operations. The firewall is configured to read the destination address of the data packet from the received communication and, on the basis of that, to initiate the communication connection to the destination address, i.e. to the host computer, with a TCP SYN frame. The host computer responds to the firewall with a TCP ACK SYN frame carrying its own address and the destination address, i.e. the firewall address. The firewall acknowledges this back to the host computer with a TCP ACK frame. As a result, the communication connection is established between the host computer and the firewall.
The firewall is also configured to respond to the source computer with a TCP ACK SYN frame carrying at least the recipient's address as well as its own address, when the firewall is implemented in the typical way. The firewall's own address is a so called NAT-IP address (Network Address Translation).
The source computer acknowledges with a TCP ACK packet to the firewall. As a result, the communication connection is established between the firewall and the source computer.
Further, the ACK packets, i.e. TCP ACK SYN and TCP ACK, as described above comprise ACK counter information, which carries information on how much application data, in bytes, each party to the communication connection has received. The start value of the ACK counter of each party is defined in the TCP SYN and TCP ACK SYN frames. In addition, the status of the amount of application data received by each of the parties is maintained in the counters. The counter information representing the total amount of data sent by a party is maintained in the Sequence Number field of the TCP frame.
After the above described handshake procedure, the communication can be started in both communication connections through the firewall, which monitors and maintains the connection between the source computer and the host computer. In the worst case, the DoS data may reach the target through the communication connection, as the firewall has only checked that the protocols and their frame structures are correct.
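As an added illustration, not part of the patent text, the following Python models the two handshakes and the ACK counters described above: the firewall terminates the source's connection, opens its own connection to the host, and relays application data once both connections are established with consistent sequence numbers. The `Conn` class, the function names and the initial sequence numbers are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Conn:
    """One end of a TCP connection: seq counts bytes this end has sent, ack
    counts bytes received from its peer (the ACK counter of the text)."""
    name: str
    isn: int
    seq: int = 0
    ack: int = 0
    established: bool = False
    log: list = field(default_factory=list)


def handshake(initiator, responder):
    """SYN, SYN-ACK, ACK. Each side's ACK counter is seeded from the peer's
    initial sequence number; the SYN itself occupies one sequence number."""
    initiator.seq = initiator.isn + 1
    responder.ack = initiator.seq
    initiator.log.append(("SYN", initiator.isn))
    responder.seq = responder.isn + 1
    initiator.ack = responder.seq
    responder.log.append(("SYN-ACK", responder.isn, responder.ack))
    initiator.log.append(("ACK", initiator.seq, initiator.ack))
    initiator.established = responder.established = True


def send(sender, receiver, data):
    """One data segment: the sender's seq advances by the bytes sent and the
    receiver's ACK counter by the bytes received; anything else is rejected."""
    if not (sender.established and receiver.established):
        raise RuntimeError("connection not established")
    if sender.seq != receiver.ack:
        raise RuntimeError("segment out of order")
    sender.seq += len(data)
    receiver.ack = sender.seq
    receiver.log.append(("ACK", receiver.seq, receiver.ack))


def proxied_session(app_data):
    """The FIG. 2 arrangement: the firewall opens its own connection to the
    host for the destination read from the source's SYN, answers the source
    from its NAT address, and relays the application data once both
    handshakes are correct. Initial sequence numbers are constructed values."""
    source, fw_to_source = Conn("source", 1000), Conn("firewall NAT side", 3000)
    fw_to_host, host = Conn("firewall host side", 5000), Conn("host", 9000)
    handshake(fw_to_host, host)            # firewall -> host: SYN, SYN-ACK, ACK
    handshake(source, fw_to_source)        # firewall -> source: SYN-ACK, source ACKs
    send(source, fw_to_source, app_data)   # frames and counters check out, so ...
    send(fw_to_host, host, app_data)       # ... the payload is relayed unchanged
    return source, fw_to_source, fw_to_host, host
```

The firewall only ever verifies that each frame fits the expected state of its two connections, which is why the relayed application data itself is never examined in this model.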
It would be advantageous to find more sophisticated solutions in order to defend against a denial of service attack in the most effective manner.